A cornerstone of a cybersecurity firm is its “reverse engineering” capability. It is a necessary part of responding to breaches and keeping up with the state of the art in threats, and it enhances the coverage of penetration testing and red-team engagements. While it separates leaders from followers in the industry, very few business stakeholders have had the opportunity to learn what “reverse engineering” means, how it can be a measure of a security service provider’s capability, and how such services can directly benefit an organization.
What is Reverse Engineering?
Software engineering is the process by which software is created. Development teams elicit requirements, create design documents, develop code, and compile that code into software that is distributed to end customers. The deliverable, the end user’s software, is created from code, but does not contain that code. Code, and the design of software that leads to it, is often not distributed to the end user of, say, an operating system or a word processor.
Malicious software, or “malware,” is no exception. A computer virus or ransomware worm is software, developed by an individual or team, and deployed with the intent of attacking organizations such as yours. Malware is designed to accomplish its mission (disruption, extortion, or exfiltration) in a way that is difficult to detect or analyze. The original code and design work by the malware developer is not usually a matter of public record.
Reverse engineering, in information security, is the process used to analyze software to determine its capabilities, design, and intent. With time and effort, a team that has training and experience in reverse engineering can take a sample of malware and “read” it to understand its internal operation. It is, as the name suggests, a reversal of the engineering process designed to unravel the plans of a malicious attacker.
Reverse engineering is not a trivial skill to pick up. It is not taught in many higher education programs, so even a team with a computer science or similar background cannot be expected to have experience in it. As an adjunct professor, I teach a semester-long course in reverse engineering. The few students that are motivated to do well in the course wind up in very high demand. Setting high expectations for the cybersecurity firm your organization chooses to engage with will help ensure you are receiving the highest quality of service from the best talent in the security industry.
What Can Reverse Engineering Do for Me?
Being in touch with a cybersecurity firm that has an established capability in reverse engineering has many tangible benefits. When an organization is the target of an attack, reverse engineers can examine the attackers’ tools to potentially answer the following questions:
- How did the attackers compromise the target system?
- Did the attack specifically target the impacted organization?
- Were the attackers seeking specific data, or were they taking command of the organization’s computing resources?
- Are the attackers a known nation-state or organized crime threat group?
- Most importantly, from the capabilities of the malware, exactly what records were compromised?
When determining the scope and cost of breach notification, having a clear picture of the attack tools’ capability can keep an organization from having an inaccurate estimate of liability.
In other areas, a firm can serve your organization well with reverse engineering talent:
- An in-house reverse engineering team can assist managed threat hunting and security operations center analysts in the triage and assessment of potential threats, based on the tools that are being deployed by attackers.
- The results of a forensic investigation of potential wrongdoing by an employee can hinge upon the presence or absence of malware that could be the actual source of malicious activity.
- The same skills that allow reverse engineering specialists to analyze malware can be leveraged in penetration tests and red team engagements to find zero-day vulnerabilities in software otherwise thought to be secure.
- A firm with reverse engineering experience can acquire and analyze the latest tools deployed by threat actors worldwide. Firms without this experience will always be a step behind, relying on the presentations and discussions publicly published by the firms that do.
The value of a cybersecurity firm’s reverse engineering capability is the difference between having a cybersecurity firm in your corner that truly understands how to identify, analyze, and react to a real attack, and one that will be at a loss for tomorrow’s threat.
There are no widely recognized certifications in the area that can be used to measure a firm’s reverse engineering capabilities. Ask your security service providers the hard questions about their capabilities. High expectations will make sure that you’re investing your security budget wisely.